Rob Golding

Technology Consultant

Roadwarrior with IPCop & OpenVPN

January 30, 2008

As an update to the previous post regarding the installation of a new IPCop as my network firewall, I have finally completed the configuration of its VPN service for use as a Roadwarrior. I can now connect to the IPCop machine from my laptop, using the OpenVPN client from anywhere in the world.

I was surprised by the ease of configuration once an add-on called “Zerina” was installed. This made the process extremely simple to complete, even offering to package up an OpenVPN configuration file and certificate combination - so all that is needed to connect is one click!

With regard to the IPCop machine itself, it is one of the most stable servers I have ever put into operation. I literally installed the O/S (about 50MB) a couple of weeks ago - and since then there has been not one issue. Not even a restart - it’s just been chugging away on that old 400MHz Pentium II. I am in awe of the little thing - which is actually proving to be a damn sight faster than the overpowered and clunky ISA Server that I used to use.

Also, with the terrible OpenVPN logo, and the lack of suitable IPCop art, I hope the Visio diagram to the left bears a resemblance to this post that could be appreciated by the reader. I definitely think it makes the post something special, would you not agree?


New IPCop Firewall

January 18, 2008

My latest project, to replace the bulky overpowered ISA firewall on my home network with a lean mean IPCop machine, was declared a great success a few days ago.

I am familiar with IPCop, as I used to use it a long time ago. Since then it has matured somewhat, but the feature set is pretty much the same as I remember. The new machine is a 400MHz PII, with 192MB RAM. It is sitting in the place of a Sempron 3000+ with 1GB RAM. Amazing, it’s doing the same job with a fraction of the power. And also, it uses a third of the electricity - 30W in total. Good news given the rise in energy prices!

The main challenge so far, which I still haven’t overcome, is how to get RoadWarrior VPN working, using the Windows built-in VPN client, with L2TP/IPSec. This used to be trivial with ISA Server, but this isn’t quite the case with a Linux firewall. I have been looking at other distributions such as monowall and pfSense, neither of which seem to spell out their ability to achieve this clearly. I am playing with a few of these on Virtual Machines, so hopefully I will come across a way to do this before long - I’m starting to miss my RoadWarrior VPN server. How sad, eh?


Active Directory Practices

January 11, 2008

As a matter of curiosity more than anything, I often wonder whether other people’s methods and practices for setting up AD are similar to my own. I will explain as best I can my own procedure, in an attempt to see how it compares to the rest of the IT community.

Firstly, I install DNS on the Domain Controller to-be. I don’t do any configuration on the service, just install it. Then, running DCPromo, I allow the wizard to configure the DNS Service for me. This makes sure that the two separate zones will be present - _msdcs.domain.name, and domain.name. This seems much neater to me, and I like to see this result - so I allow the wizard to take care of it.

When the domain is installed, the first thing I usually do is open up the default domain policy and remove all the password complexity options. These are usually just an annoyance - and unless the network has any particular security needs, I disable them all. Maybe leaving the length value at 6 if it’s inappropriate to turn it off completely. I like managing GPOs from the Group Policy Management Console (GPMC), so that usually gets installed straight away.

In regard to the structure of the domain, I make an OU with the domain’s NetBIOS name in the root, and under that I create some OUs as follows:

  • Computers
  • Distribution Groups (If Exchange will be installed)
  • Security Groups
  • Servers
    • Exchange Servers (for a special shutdown script)
  • System Users
  • Users

As for an explanation for that Exchange Servers OU, I make a shutdown script to stop all the Exchange servers when it shuts down, to make the process a hundred times faster. I am so impressed by this technique, it works flawlessly every time. This OU allows me to assign the shutdown script via GPO to all Exchange Servers in the domain. Note that the DC stays in its own Domain Controllers OU that is created by the system automatically.
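The OU layout listed above can be created idempotently with the ActiveDirectory PowerShell module. This is an added example, not the author's own script; the `New-OUIfMissing` helper and the `$withExchange` switch are hypothetical names, and it assumes a domain-joined host with the RSAT ActiveDirectory module and rights to create OUs.

```powershell
# Added example: builds the OU layout described in the post.
# Assumes the ActiveDirectory module (RSAT) and OU-creation rights.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$rootName     = $domain.NetBIOSName        # root OU is named after the NetBIOS name
$domainDN     = $domain.DistinguishedName
$withExchange = $true                      # assumption: Exchange will be installed

# Child OUs under the root; each value lists that OU's sub-OUs.
$layout = [ordered]@{
    'Computers'       = @()
    'Security Groups' = @()
    'Servers'         = @('Exchange Servers')   # target for the shutdown-script GPO
    'System Users'    = @()
    'Users'           = @()
}
if ($withExchange) { $layout['Distribution Groups'] = @() }

# Hypothetical helper: create the OU only if it is not already present,
# so the script can be re-run safely. Returns the OU's distinguished name.
function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    $existing = Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'" `
                    -ErrorAction SilentlyContinue
    if (-not $existing) {
        # Protect against accidental deletion from the management tools.
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

$rootDN = New-OUIfMissing -Name $rootName -Path $domainDN
foreach ($ou in $layout.Keys) {
    $ouDN = New-OUIfMissing -Name $ou -Path $rootDN
    foreach ($child in $layout[$ou]) {
        New-OUIfMissing -Name $child -Path $ouDN | Out-Null
    }
}

# List the resulting tree for review.
Get-ADOrganizationalUnit -SearchBase $rootDN -Filter * |
    Select-Object -ExpandProperty DistinguishedName
```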

I guess at this point I’m feeling like I should do a backup of the DC. DHCP servers need authorizing, and Remote Desktop needs configuring. When that’s done, we’re basically there. Get the clients joined to the domain and we’re off!

I have no idea whether my procedure is similar to anyone else’s, or in any way superior (or indeed inferior) to others. Give me some opinions anyway, it will be interesting to hear from the rest of the community.

